| Message ID | 20190715150814.20022-1-tranmanphong@gmail.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | f384e62a82ba5d85408405fdd6aeff89354deaa9 |
| Headers | show |
| Series | ISDN: hfcsusb: checking idx of ep configuration | expand |
From: Phong Tran <tranmanphong@gmail.com> Date: Mon, 15 Jul 2019 22:08:14 +0700 > The syzbot test with random endpoint address which made the idx is > overflow in the table of endpoint configuations. > > this adds the checking for fixing the error report from > syzbot > > KASAN: stack-out-of-bounds Read in hfcsusb_probe [1] > The patch tested by syzbot [2] > > Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com > > [1]: > https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522 > [2]: > https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> Applied.
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index 4c99739b937e..0e224232f746 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) /* get endpoint base */ idx = ((ep_addr & 0x7f) - 1) * 2; + if (idx > 15) + return -EIO; + if (ep_addr & 0x80) idx++; attr = ep->desc.bmAttributes;
The syzbot test with random endpoint address which made the idx is overflow in the table of endpoint configuations. this adds the checking for fixing the error report from syzbot KASAN: stack-out-of-bounds Read in hfcsusb_probe [1] The patch tested by syzbot [2] Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com [1]: https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522 [2]: https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ Signed-off-by: Phong Tran <tranmanphong@gmail.com> --- drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++ 1 file changed, 3 insertions(+)